The 2026 entries are the ones that need immediate attention: CVE-2026-41091 (Microsoft Defender Elevation of Privilege) and CVE-2026-45498 (Defender Denial of Service) are both actively exploited and affect a product that sits at the center of most Windows enterprise security stacks. The other five are the quiet horror: Windows Server Service (CVE-2008-4250), QuickTime DirectShow (CVE-2009-1537), Adobe Reader heap overflow (CVE-2009-3459), IE's Aurora exploit (CVE-2010-0249), and the IE Peerdist handler (CVE-2010-0806). These are 16-year-old CVEs confirmed still in use in 2026, which says something unflattering about the persistence of unpatched legacy systems in the wild. Patch the Defender flaws now; treat the legacy entries as a signal to audit your exposure surface.